Exploit
CVE-2024-9807

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

Published: Oct 10, 2024 / Updated: 40d ago

010
CVSS 5.1EPSS 0.05%Medium
CVE info copied to clipboard

Summary

A vulnerability was found in Craig Rodway Classroombookings 2.8.7 and classified as problematic. This issue affects some unknown processing of the file /sessions of the component Session Page. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely.

Impact

This cross-site scripting (XSS) vulnerability could allow an attacker to inject malicious scripts into the Session Page of Classroombookings. If successfully exploited, it could lead to theft of sensitive information, manipulation of web content, or redirection of users to malicious websites. The attack requires high privileges and user interaction, which somewhat limits its potential impact. The vulnerability affects the integrity and confidentiality of the system to a low degree, but does not impact availability.

Exploitation

One proof-of-concept exploit is available on github.com. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. Upgrading to version 2.8.8 of Classroombookings addresses this issue.

Mitigation

1. Upgrade Classroombookings to version 2.8.8 as soon as possible. 2. If immediate upgrading is not possible, implement input validation and output encoding for the Name argument in the Session Page component. 3. Consider implementing Content Security Policy (CSP) headers to mitigate the risk of XSS attacks. 4. Educate users with high privileges about the risks of XSS and how to identify potential attacks. 5. Monitor for any suspicious activities or unexpected script executions in the Session Page component.

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9807

Oct 10, 2024 at 7:15 PM
First Article

Feedly found the first article mentioning CVE-2024-9807. See article

Oct 10, 2024 at 7:16 PM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as MEDIUM

Oct 10, 2024 at 7:16 PM
CVSS

A CVSS base score of 2.4 has been assigned.

Oct 10, 2024 at 7:20 PM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 16.4%)

Oct 11, 2024 at 10:19 AM
CVSS

A CVSS base score of 4.8 has been assigned.

Oct 17, 2024 at 2:45 PM / nvd
Proof of Concept (PoC) Released

A proof of concept exploit has been released

Oct 17, 2024 at 5:12 PM
Static CVE Timeline Graph

Affected Systems

Classroombookings/classroombookings
+null more

Exploits

https://github.com/JunMing27/CVE/blob/main/CVE%20-%20classroombookings%20Cross%20Site%20Scripting%20(XSS)%20at%20create%20and%20edit%20session%20page%20via%20Administrator%20Dashboard.md
+null more

Attack Patterns

CAPEC-209: XSS Using MIME Type Mismatch
+null more

News

CVE-2024-9807 Exploit
CVE Id : CVE-2024-9807 Published Date: 2024-10-17T14:44:00+00:00 A vulnerability was found in Craig Rodway Classroombookings 2.8.7 and classified as problematic. This issue affects some unknown processing of the file /sessions of the component Session Page. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.8.8 is able to address this issue. It is recommended to upgrade the affected component. The project maintainer was contacted early about the disclosure. He responded very quickly, friendly, and professional.
CVE Alert: CVE-2024-9807 - https://www. redpacketsecurity.com/cve_aler t_cve-2024-9807/ # OSINT # ThreatIntel # CyberSecurity # cve_2024_9807
CVE-2024-9807
Gravedad 3.1 (CVSS 3.1 Base Score) This issue affects some unknown processing of the file /sessions of the component Session Page.
NA - CVE-2024-9807 - A vulnerability was found in Craig Rodway...
A vulnerability was found in Craig Rodway Classroombookings 2.8.7 and classified as problematic. This issue affects some unknown processing of the file /sessions of the component Session Page. The...
CVE-2024-9807
This issue affects some unknown processing of the file /sessions of the component Session Page. It is recommended to upgrade the affected component.
See 6 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:High
User Interaction:Required
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None

Categories

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI